Query Refused problem

Sven Eschenberg sven at whgl.uni-frankfurt.de
Thu Oct 1 17:10:55 UTC 2009


Funny enough, I did not have any allow-query at all, but adding 
allow-query {any;} did indeed change the behavior. But allow-query-cache 
obviously defaults to localhost, localnets and was triggering the 
behavior that confused me.

In between I overhauled the config, setting all the options explicitly 
where needed, instead of building on default behavior and everything 
works as expected now. Lesson learned: Ignore defaults, always set 
things as YOU want them to be :-).

Thanks for your reply though.

Regards

-Sven


Matus UHLAR - fantomas wrote:
> On 30.09.09 15:59, Sven Eschenberg wrote:
>> When I had no allow-query statement at all in my config, everything
>> worked fine (including recursion) for all clients, that were in subnets
>> directly attached to the server. The external view (authoritative, non
>> recursive) did work for every client as supposed to.
>> Now a client on a not directly attached subnet, with its own view,
>> could not resolve anything, except local zones on the server. (Though
>> recursion was turned on for the view).
>> External view's clients could not recurse, though recursion was turned
>> on, obviously to really recurse I'd need an allow-query statement.
>>
>> Adding an allow-query statement to the general config, limited to the
>> campus network made all local views work, but with the result, that no
>> client matching the external view could look up the authoritative zones.
>>
>> Now, I am wondering if I did set up everything right after all, here's
>> what I did do:
>>
>> External view, no recursion, allow-query {any;}
>> Not directly attached client with internal view: match on client's ip,  
>> allow recursion, allow query for the client's ip.
>> all other internal views, matched by locally attached networks, no
>> allow-query statement, allow recursion.
>>
>> This seems to work.
>>
>> I am wondering: Would it be harmful to allow queries by any host
>> (globally) as long as external clients (in their view) are not allowed
>> any recursion? Would that be more feasible?
> 
> allow-query { any; }; is default. Do you have any other allows?
> 
> the first error message indicated that you didn't allow query-cache or recursion
> for some clients. Apparently you cloned a view but forgot to allow either
> one in the new view...
> 
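
An illustration of the "set everything explicitly" approach this thread ends on, added here as an example and not taken from either poster's configuration. The ACL name, the addresses (documentation ranges), the zone name and the file paths are constructed placeholders; the three views mirror the layout described in the quoted message.

```conf
// Constructed example: every access control is stated per view,
// so no view depends on the built-in defaults.
acl "attached" { 192.0.2.0/24; 198.51.100.0/24; };   // placeholder subnets

// Views are matched in order, so the single remote client comes first.
view "remote-client" {
    match-clients     { 203.0.113.10; };             // placeholder address
    recursion         yes;
    allow-query       { 203.0.113.10; };
    allow-query-cache { 203.0.113.10; };             // cached answers
    allow-recursion   { 203.0.113.10; };             // new recursive lookups
    zone "example.org" { type master; file "internal/example.org.db"; };
};

view "internal" {
    match-clients     { "attached"; };
    recursion         yes;
    allow-query       { "attached"; };
    allow-query-cache { "attached"; };
    allow-recursion   { "attached"; };
    zone "example.org" { type master; file "internal/example.org.db"; };
};

// Everyone else: authoritative answers only, no cache, no recursion.
view "external" {
    match-clients     { any; };
    recursion         no;
    allow-query       { any; };
    allow-query-cache { none; };
    allow-recursion   { none; };
    zone "example.org" { type master; file "external/example.org.db"; };
};
```

Running `named-checkconf` on the file catches syntax errors before a reload; querying from a host in each client group with `dig` confirms which view answers and whether recursion is offered.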



